Typed passwords are no defense

Apr. 22, 2014 - 06:00AM

Andrew Borene (American University)


With the flick of his wrist and a few keystrokes, Edward Snowden hand-typed other people’s passwords and initiated data downloads in what has become the greatest national security information breach in U.S. history.

According to a Reuters report, Snowden “persuaded between 20 and 25 fellow workers” at the National Security Agency to give him their passwords. He used those credentials to copy information on classified programs that he was never authorized to see.

Director of National Intelligence James Clapper declared that the resulting leaks put “the lives of members or assets of the intelligence community at risk as well as our armed forces, diplomats, and citizens.” Rep. Mac Thornberry, of the House Armed Services Committee, said the damage done by Snowden “will certainly cost billions to repair.”

If biometric information such as voiceprints had been required as identity verification before allowing access to our nation’s most valued intelligence programs, Snowden’s victims might still be employed, our national secrets might still be protected, and Snowden himself might have been detected and arrested.

In the age of Siri, OnStar, voice-operated vehicles and award-nominated movies about humans falling in love with virtual assistants, this simple security for such vital secrets should have been fundamental. Yet, the public record indicates that our government’s national secrets are not yet protected with state-of-the-art security technologies used by private-sector institutions.

This Snowden debacle is just the latest evidence that the ubiquitous keyboard-only password regime is grossly insufficient. People all around the world suffer from password losses, compromise or theft. In 2013 alone, more than 6 million passwords were compromised at LinkedIn and more than 150 million passwords were compromised at Adobe. Yet we still rely on the typed password.

Snowden showed the world how data breaches by unauthorized individuals can hurt government secrecy, but for individuals that damage can mean stolen identities and for companies it can mean stolen intellectual property and lost profits. These are not just moral costs, but significant economic losses.


Cybersecurity experts tell us that the best possible security combinations incorporate elements of “something we know, something we have, and something we are.” Technology exists to add a security layer requiring people to say “my voice is my password,” or to briefly read a randomly generated phrase. It is already used by some leading private-sector organizations in the financial services sector.

A voiceprint is a measurable attribute as unique as a fingerprint or iris scan.

Using technology as simple as your telephone or a computer microphone, today’s algorithms can convert your voice, what is uniquely “you,” into an additional security tool. These modern biometric voice passwords could have prevented Snowden’s gravest breaches.

Some may argue that government or private-sector movement toward the use of biometrics poses challenges to privacy and carries high implementation costs. Nonetheless, in a world where vital national secrets live online and where the business of individual daily life is impossible without “logging on,” the costs of inaction are too great.

In the past, it was frequently the government that led technological innovation in the United States with large-scale research and development programs and implementations. Today, it is more often the private sector that serves as a laboratory for the best technologies. The same data protection tools that are increasingly used by the world’s leading banks and technology companies can help our government maintain the secrecy of important military plans and capabilities.

In their investigative exposé titled “Top Secret America,” journalists Dana Priest and William Arkin estimated that more than 850,000 individual Americans from almost 2,000 companies have been granted top-secret clearance and potential access to our nation’s operational secrets. It is feasible to enroll every one of those specially cleared individuals into a biometric library that would provide greater protection and accountability from costly breaches.

While that number may sound big, it is easily manageable from a technological standpoint. An estimated 40 million people are already enrolled users of voice biometrics to protect their financial assets and personal data. That population will grow exponentially as the benefits of added layers of protection become increasingly clear.

Let’s answer today’s cyber threats with new national technological resources. If we don’t demand enhanced cybersecurity protections, including individual biometrics, we may quietly lose more than government secrecy. America can lead the world in defending privacy and data security, and the technology exists today to make this a reality.

Andrew Borene is director of National Security Solutions at Nuance Communications Inc. and advises the Center for National Policy’s cybersecurity programs. He is a former associate deputy general counsel at the Pentagon and served as a Marine Corps intelligence officer.